
Adobe patches 18 holes in Shockwave Player

Adobe has released update 11.5.7.609 for its Shockwave Player. The update fixes 18 security vulnerabilities, 17 of which Adobe classes as critical, as they allow crafted websites to inject and execute code. The problems are caused by buffer and integer overflows and memory errors in a range of functions for processing.

Shockwave Player offers additional features over and above those offered by Flash Player. It is typically used to display more complex and interactive presentations, games and other applications and, like Flash Player, is available as a browser plug-in. Adobe's naming convention (the Firefox Flash Player plug-in is called "Shockwave Flash") is the cause of some confusion among users. The majority of users just have Flash Player and are not affected by the vulnerabilities. However, Adobe's installer for Shockwave always installs Flash Player alongside the Shockwave Player. A test to check whether Shockwave is installed is available online: Test Adobe Shockwave Player.

Adobe has also released security fixes for ColdFusion (8.0, 8.0.1, 9.0 on all supported operating systems) which fix two cross-site scripting vulnerabilities and a data leak.